Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-resource-indicators-00.txt

Hannes Tschofenig <Hannes.Tschofenig@arm.com> Mon, 21 March 2016 08:47 UTC


Hi John,

We certainly had some confusion about what is the best possible term for the client to indicate to the resource server what RS it wants to access and for the AS to say what RS the client is allowed to access.

For me the in-band approach (either by carrying the information in the AT or by obtaining the information via token introspection in those cases where the AT is actually a reference rather than a self-contained token) is a useful approach that should actually have been provided by the OAuth spec from the first day onwards.

The reason draft-tschofenig-oauth-audience-00 was not advanced at that time was that the group (at the time) wanted to include the functionality in the PoP token work, as you are very well aware. In the meantime it seems that the group has again changed its mind and wants to rather progress the work as an independent doc.

Ciao
Hannes


-----Original Message-----
From: John Bradley [mailto:ve7jtb@ve7jtb.com]
Sent: 21 March 2016 09:09
To: Hannes Tschofenig
Cc: <oauth@ietf.org>; Hannes Tschofenig
Subject: Re: [OAUTH-WG] Fwd: New Version Notification for draft-campbell-oauth-resource-indicators-00.txt

Thanks Hannes

We should merge them; they are very similar.

We made a distinction between the resource URI and the audience to try and avoid some confusion about overloading the term audience.

We also covered the security considerations around user hosted content and being specific about the resource to avoid leakage.

We were less concerned about talking about key material, or the type of token.

We wanted to be able to show the WG that audience-restricting the AT has different, and I argue better, security properties than doing out-of-band discovery of the resource to try and stop AT leakage.

John B.



> On Mar 21, 2016, at 7:09 AM, Hannes Tschofenig <hannes.tschofenig@gmx.net> wrote:
>
> FWIW: I also wrote a draft a while ago about this topic:
> https://tools.ietf.org/html/draft-tschofenig-oauth-audience-00
>
> On 03/20/2016 10:17 PM, John Bradley wrote:
>> We have had a number of discussions about splitting the audience part
>> of PoP key distribution out into its own draft.
>>
>> Phil also requested a draft on how I propose that proper
>> audiencing of access tokens can mitigate against the threat of bearer
>> access token leakage.
>>
>> In response Brian Campbell and I have created a short 00 draft on how
>> the client can specify the resource that it is requesting a token for
>> without overloading scopes.
>>
>> I hope that this will make some of the issues clearer for our discussion.
>>
>> As Justin pointed out we may also want to separate out offline access
>> and some other common things from scope as well.  This is intended to
>> start the discussion not preclude other discussions around how to reduce
>> the overloading of scope.
>>
>> Regards
>> John Bradley
>>
>>
>>
>>> Begin forwarded message:
>>>
>>> From: internet-drafts@ietf.org
>>> Subject: New Version Notification for draft-campbell-oauth-resource-indicators-00.txt
>>> Date: March 20, 2016 at 8:14:14 PM GMT
>>> To: "Brian Campbell" <brian.d.campbell@gmail.com>, "John Bradley" <ve7jtb@ve7jtb.com>
>>>
>>>
>>> A new version of I-D, draft-campbell-oauth-resource-indicators-00.txt
>>> has been successfully submitted by Brian Campbell and posted to the
>>> IETF repository.
>>>
>>> Name: draft-campbell-oauth-resource-indicators
>>> Revision: 00
>>> Title: Resource Indicators for OAuth 2.0
>>> Document date: 2016-03-20
>>> Group: Individual Submission
>>> Pages: 7
>>> URL: https://www.ietf.org/internet-drafts/draft-campbell-oauth-resource-indicators-00.txt
>>> Status: https://datatracker.ietf.org/doc/draft-campbell-oauth-resource-indicators/
>>> Htmlized: https://tools.ietf.org/html/draft-campbell-oauth-resource-indicators-00
>>>
>>>
>>> Abstract:
>>>  This straw-man specification defines an extension to The OAuth 2.0
>>>  Authorization Framework that enables the client and authorization
>>>  server to communicate more explicitly about the protected
>>>  resource(s) to be accessed.
>>>
>>>
>>>
>>>
>>> Please note that it may take a couple of minutes from the time of submission
>>> until the htmlized version and diff are available at tools.ietf.org
>>> <http://tools.ietf.org>.
>>>
>>> The IETF Secretariat
>>>

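As an added illustration of the in-band audience check discussed in this thread (example code written here, not from either draft or any of the posters): a resource server accepts an access token only if the audience the AS bound to it names that resource server, so a token leaked from one resource cannot be replayed at another. It covers both a self-contained token and the introspection-response case for a reference token; the HMAC key, resource URIs and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo secret shared by AS and RS. Assumption: HMAC-signed JWT;
# production deployments would normally use an asymmetric key pair instead.
DEMO_KEY = b"constructed-demo-key-do-not-reuse"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict) -> str:
    """AS side: mint a self-contained access token carrying the audience claim."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def audience_matches(aud, my_resource: str) -> bool:
    """RFC 7519 allows `aud` to be a single string or an array of strings."""
    if isinstance(aud, str):
        return aud == my_resource
    return isinstance(aud, list) and my_resource in aud


def verify_self_contained(token: str, my_resource: str) -> bool:
    """RS side: verify the signature, then reject tokens not audienced to this RS."""
    try:
        header, body, sig = token.split(".")
        expected = hmac.new(DEMO_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return False
        claims = json.loads(_b64url_decode(body))
    except (ValueError, json.JSONDecodeError):
        return False
    return audience_matches(claims.get("aud"), my_resource)


def verify_via_introspection(introspection: dict, my_resource: str) -> bool:
    """RS side for a reference token: the AS's RFC 7662 introspection response carries `aud`."""
    return bool(introspection.get("active")) and audience_matches(introspection.get("aud"), my_resource)
```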